Safeguard your identity and password.
Some services and data you access are private or sensitive. Nobody but you should access or change your email, files, class schedules, medical history, budget, research data, or grades. Access to those services is authorized based on your identity, and your password is your proof of that identity. When a password is compromised, the criminal takes on your identity and can do anything you can do (and perhaps even more!).
Passwords may be compromised by any of a number of methods. Here they are in relative order of frequency along with the things you can do to decrease risk.
You give them to criminals who fooled you with a "phishing" message or fake web site.
The ONLY site authorized to change your JMU eID password is the MyMadison portal at https://mymadison.jmu.edu. Set a bookmark in your browser or type it in. Do not follow links in email. Do not send your password in email.
This is probably the most common way passwords are compromised. It is up to you to determine if an email message or web site is real. Unfortunately, in this day and age that can be difficult. Still, some basic practices and tells can be used to validate most JMU email messages and web sites.
Criminals break into one of your service providers and steal them in bulk.
There isn't a lot you can do about a failure of security at one of your service providers, but you can limit the losses.
Generally, the provider protects the stored secrets with cryptography, but they can still be cracked given enough time. And if the intruder isn't detected, they're free to gather unprotected passwords as they pass through the service in real time for as long as they maintain control.
If you use the same password on multiple sites, a security failure by one site may allow the criminal to access your other sites.
You type them into a compromised, untrustworthy, or shared device.
The device may be your own virus-infected computer or someone else's device. The device may be set up purposely to collect passwords or may inadvertently store them, sometimes at our behest (e.g. "Would you like to remember this password?" or "Keep Me Signed In").
Have you logged into Gmail from a lab or library computer lately? If you didn't sign out of Gmail or restart the computer when you were done, the next person who used the computer and visited the Gmail web site was automatically logged into your Gmail account, even if you had logged out of the computer. You may experience similar issues with other services you patronize. The Amazon site will remember who you are but fortunately will make you sign in again to view any information or submit any orders.
This is all brought to you by the miracle of web cookies. They are bits of information about you that web sites store on your computer...or on a shared computer if that is what you happen to be using. When you visit the site again, the web site can retrieve them to remember information about you or even automatically log you in...even if someone else happens to be at the keyboard at the time. Google decided to make automatic login the default behavior.
What to do?
For Gmail, uncheck the box labeled "Stay Signed In" before logging in. If you forget to do that, you can still protect yourself. After you are done using the service, click your account photo or email address in the top right corner and select "sign out". (Taken from Google's Gmail Security Checklist step 9 - advice for shared computers).
Dukes email (Office 365) offers the same automatic login functionality, but it is disabled by default (the Keep Me Signed In box is unchecked).
When computers in most computer labs on campus are restarted, they overwrite everything that currently exists on the computer. They effectively reinstall themselves and you get a new computer. There are at least two benefits associated with this:
Simply logging out does not provide those benefits. Only completely restarting the computer will overwrite the data. The downside is the time it takes to restart the computer.
Not all providers of public computers offer this functionality. Check with your provider. If they don't provide the feature, you can clear private data (e.g. cookies, cache) using the browser menus to accomplish similar results.
Keep in mind that if you log into a computer belonging to an acquaintance, the same scenarios apply.
If maximum security is required, a public shared computer should not be used.
You use vulnerable communications links or protocols.
For example, a poorly configured wireless network, or a service like FTP, Telnet, or plain HTTP (HTTP without the S of HTTPS), all of which carry your password across the network unencrypted.
You choose a password that is easy to guess or use a password reset mechanism that is easy for a criminal to use.
For example, if you can reset your password with a secret question like "What color is my favorite sweater", how many times do you think it will take a criminal to guess the right color? Using public information for the answer to a secret question is similarly ineffective as a security measure.
What to do if your password is compromised
Your mailbox may be full of spam, bounced messages, and angry responses and threats from those who received spam and criminal mail from your account. They may have read or deleted everything you've sent in the past month. But that may be the least of the problems.
Passwords are the combination locks used to protect our computer accounts. It goes without saying that giving out our combination or leaving the lock unlatched (i.e. walking away from a logged-on computer) compromises our security. However, technology provides ways for people to obtain our combination even if we aren't careless. To thwart such misuse, we must choose complex combinations. There are three elements to a complex combination:
How, you may ask, am I ever going to remember such a complicated password?
One of the most unpopular security recommendations, after choosing hard to remember passwords, is the one that asks us to throw away those passwords after we finally get to the point where we can remember them.
If our ATM card gets stolen, we know it. If our keys get stolen, we'll probably miss them before someone manages to copy and return them. Unlike keys or ATM cards, passwords don't have to be physically taken to be copied or used, and it is unlikely we'll know they've been compromised. Once they're compromised, they can be transferred all over the world in the blink of an eye. Until someone uses the password, we won't know it, and most of us won't know even then unless some fairly drastic action is taken with our account(s).
While our passwords are usually protected with cryptography and are often inaccessible, there are circumstances, sometimes beyond our control, when they are available either over the network or on a system.
Even when protected with cryptography, we're gambling somewhat if the password is accessible. While it may take five years to do an exhaustive search through all the possible combinations using the latest encryption scheme, there are some practical points to remember:
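To put the "exhaustive search" figure in perspective, here is an added example (not from the original page) that estimates how many candidates a brute-force search of a password's length and character classes must try, and how long that takes at two assumed, hypothetical guess rates. The rates are round numbers chosen only to show scale, not measurements of any real system.

```python
# Added example: estimate exhaustive-search effort for a password's length and
# character classes. Guess rates below are ASSUMED illustrative figures.
ASSUMED_RATES_PER_SECOND = {
    "online (throttled login form)": 10,            # hypothetical
    "offline (leaked hash, fast hashing)": 10**10,  # hypothetical
}
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Printable-ASCII character classes: (size, membership test). 26+26+10+33 = 95.
CLASSES = {
    "lower": (26, str.islower),
    "upper": (26, str.isupper),
    "digit": (10, str.isdigit),
    "symbol": (33, lambda c: c.isprintable() and not c.isalnum()),
}

def alphabet_size(password: str) -> int:
    """Size of the smallest standard character set containing every character
    of the password; an exhaustive search only needs to cover that set."""
    return sum(n for n, test in CLASSES.values() if any(test(c) for c in password))

def keyspace(password: str) -> int:
    """Candidates a brute-force search of the same length and classes must try.
    Caveat: this overstates the strength of dictionary words or common patterns,
    which a guesser tries first; length and unpredictability both matter."""
    return alphabet_size(password) ** len(password)

def years_to_exhaust(password: str, rate_per_second: float) -> float:
    """Worst-case time, in years, to try every candidate at the given rate."""
    return keyspace(password) / rate_per_second / SECONDS_PER_YEAR

def report(password: str) -> str:
    lines = [f"{password!r}: length {len(password)}, alphabet {alphabet_size(password)}, "
             f"keyspace {keyspace(password):.2e}"]
    for label, rate in ASSUMED_RATES_PER_SECOND.items():
        lines.append(f"  {label}: {years_to_exhaust(password, rate):.2e} years")
    return "\n".join(lines)

if __name__ == "__main__":
    # Constructed sample passwords, from weak to strong.
    for sample in ("password", "Passw0rd!", "correcthorsebatterystaple"):
        print(report(sample))
```

The output shows that every extra character multiplies the search by the alphabet size, which is why a long passphrase beats a short password with a few symbols.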
Lots of things can result in the compromise of a password. If that password protects a lot of things or if it protects things that are important, isn't it worth the trouble to rejuvenate it once in a while by changing it?